BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
13
Global rank
23 infographic chevron month
Month rank
23 infographic chevron week
Week rank
2819
IOCs

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018.

Trojan
Type
ex-USSR
Origin
1 December, 2018
First seen
28 March, 2024
Last seen

How to analyze Vidar with ANY.RUN

Type
ex-USSR
Origin
1 December, 2018
First seen
28 March, 2024
Last seen

IOCs

Hashes
b6a654cadd98cb9ba6881193905c8923ac3b2904526e28c79827b6f62edfa322
ffaed8dcf0282df833b74faf419729dc20951ee7edbb58103fa5c582e93d5f3a
44d01cb3f61542fe6958a4d9e691e7a643679f5ac88df5ce6560136c8fd7f334
13e384c54054a094b8045928c8ec9d3697372e551e4887b4ea9e18e319f0f40b
48b7d39b9c19b0e6131928830add88e9c43e01e8218db17877abca9a65d14a5d
1eda38c94d7896c350c73e5ac87cf2cd65e96ba7d03cddc7f1302c5d1b65ca88
357c6677b38772cb2dc35ba1db320b3740a601bb2665700437af2f277741c8d9
d9b498faf01b9eb598761915a6fc2fb4f1ab2317d354348baca6794730fd15d3
726855dc870ed0224d91891b898e542393149b0eaef7817aa332b71c13b22ae0
fc5336b039a9cc8e14d515f338c90a5a404249adab200032324c65f055904255
0e9783330259b925379f44dfdc9e8f86b545ad43e8b747a8214a7d7e7617940e
1412834388380f678cedd1859951adef8bd6de45dad85373c0ca447ed99ab66c
defa200ab34c79bafdab4300726314b9d890dcd25ceef7aabdea60dea8f95de9
7aca443a075bae5a4871c31dd8b7684f12f0c924b38307fe10501b06001d0496
692fe3aca06ef0e1582fcf692dfd0e2e38e1b542368848318e0095a8f85f3d77
9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d
2e205ecc398903361efb69b5790716a47b76301e7b8ad3be506fbde96ee6ffe7
e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3af933d827202138762f1804935bbb1ce58aa78aaaa5ae30f4f27152896d80fc
URLs
http://167.235.207.130/
http://167.235.207.130/vcruntime140.dll
http://167.235.207.130/softokn3.dll
http://167.235.207.130/nss3.dll
http://167.235.207.130/msvcp140.dll
http://167.235.207.130/freebl3.dll
http://167.235.207.130/mozglue.dll
http://167.235.207.130/sqlm.dll
http://45.144.28.165:49119/
http://45.144.28.165:49119/vcruntime140.dll
http://45.144.28.165:49119/softokn3.dll
http://45.144.28.165:49119/nss3.dll
http://45.144.28.165:49119/msvcp140.dll
http://45.144.28.165:49119/freebl3.dll
http://45.144.28.165:49119/mozglue.dll
http://45.144.28.165:49119/sql.dll
http://safetygear.pk/ghjk.exe
http://scientific.pk/ghjkl.exe
http://gg.gemkan.online/gate.php
http://xxxze.co.nu/msvcp140.dll
Last Seen at

Recent blog posts

post image
Basic Malware Packers: What are They and How...
watchers 551
comments 0
post image
New BunnyLoader Version Gains Modular Capabil...
watchers 201
comments 0
post image
What are Threat Intelligence Feeds? 
watchers 179
comments 0

What is Vidar malware?

Vidar is an information stealer trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected systems, take screenshots, steal cryptocurrency, and more.

General description of Vidar malware

Vidar is presumed to have originated in a Russian-speaking country since the malware is configured to stop execution if it detects that it is being run on a machine that is located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

Being another cyber threat that is available for purchase based on the MaaS ( Malware-as-a-Service ) business model, Vidar can be purchased on its “official” website for a hefty price tag of $700, at least for the PRO version. Though, a stripped-down version of the malware can be obtained for just $250.

According to the Vidar trojan analysis, malware is written in the C++ programming language. Purchasing account grants the attacker access to a control panel where the cybercriminal can set up the infostealer malware to target particular information on the victims’ PC. Like Arkei, cybercriminals need to take precautions to secure the main payload themselves, using crypto or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that Vidar data stealer uses domain names to search for C&C servers, where stolen data is being dropped, changing every four days. Though they are steadily changing, a constant response is required.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Vidar is capable of stealing text files in multiple formats, browser cookies and history, browser records, including data from TOR, as well as autofill value information, including banking and credit card details. Based on the Vidar analysis, the stealer malware can search for cryptocurrency wallet information, take screenshots and act as a message stealer, recording private messages from various software.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by this infostealer malware.

After collecting all targeted information, this stealer malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar analysis

A video recorded in ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of Vidar and perform Vidar analysis by themselves.

arkei execution process tree

Figure 1: A visual process graph generated by ANY.RUN

text report of the arkei malware analysis

Figure 2: The customizable text report provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

According to the Vidar analysis, after the user downloads and runs a malicious file, it spawns a child process and collects information from the infected system. Often, after the information was collected, the malware kills and deletes itself from the system through a command-line command.

How to avoid infection by Vidar malware?

When spread via spam email campaigns like NanoCore or Agent Tesla, the Vidar stealer requires the user to download and run a malicious file to enter an active state and begin execution. Therefore, following some basic cybersecurity rules can ensure that users will stay safe from Vidar malware and the incident response team will work effectively.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, therefore not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding gaming hacking clients greatly reduced the risk of being infected with malware such as Vidar trojan, which uses these attack vectors to infect victims.

The distribution process of Vidar

According to the Vidar trojan analysis, Vidar is distributed through spam email campaigns as a malicious attachment, like other malware. In addition, cases of Vidar being distributed using shady software and gaming hack clients have also been recorded. Vidar infostealer targets users all over the world, except some ex-USSR countries, including Russia.

How to detect Vidar using ANY.RUN?

Some malware creates files in which it named itself. You can find such info about Vidar trojan using ANY.RUN's "Static Discovering" during your Vidar analysis. Open either the "Files" tab in the lower part of the task's window or click on the process and then on the "More Info" button in the appeared window. After that, all you need to do is click on the file.

arkei vidar log file Figure 3: Vidar's log file

Conclusion

Vidar is a hazardous information stealer trojan, distributed as malware as a service. Thanks to its extensive stealer feature set, Vidar trojan can be used to retrieve a wide variety of information, including stealing select cryptocurrency coins from the users. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allows researchers to conduct extensive studies of malware samples in a secure environment, allowing them to spread information about the danger and develop effective countermeasures and incident response.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy